The SEC recently settled charges against R.R. Donnelley & Sons Co. for failing to maintain adequate internal accounting and disclosure controls and procedures in connection with a cybersecurity incident. The settlement resulted in Donnelley’s payment of a $2.125 million civil penalty and a cease-and-desist order. We believe this action represents a very broad and expansive interpretation by the SEC of its jurisdiction in this area, continuing a troubling pattern of expansion of the SEC’s role in matters outside its customary jurisdiction. It’s particularly disturbing in cases like this one, where the purported violations did not appear to have any impact on Donnelley’s financial reporting or accounting controls.
Donnelley’s business operations require it to maintain and store large amounts of sensitive client business and financial information. In the incident in question, criminals executed a cyberattack that resulted in an intrusion into Donnelley’s network, theft of sensitive network data, encryption of computers, a ransomware demand, and disruptions in Donnelley’s ability to provide its services. Donnelley’s internal investigation, however, concluded that none of its financial systems or financial or accounting information was accessed by the criminals.
The SEC based its jurisdiction in this matter on provisions of the Securities Exchange Act of 1934 and Rule 13a-15(a) under the Act, which require covered companies to maintain internal accounting and disclosure controls sufficient to enable a company to accurately record transactions and assets and to prepare financial statements in accordance with GAAP. These controls and procedures must be designed to ensure that all required information is disclosed within the time periods specified by the SEC. In particular, the SEC claimed that Donnelley had failed to develop and implement sufficient internal controls in connection with this cybersecurity incident and failed to provide clear guidance to internal and external personnel regarding procedures for responding to this type of incident.
Commissioners Peirce and Uyeda dissented from the SEC’s order on the basis that the SEC exceeded its jurisdiction by bringing charges that are based on an alleged lack of controls unrelated to internal accounting or disclosure controls. According to the dissenting Commissioners, the SEC’s actions ignore the distinction between internal accounting controls and broader administrative controls. This is actually the third action, including recent actions involving SolarWinds Corporation and Charter Communications, in which these Commissioners have dissented on similar grounds. (This is not the first time – and will likely not be the last – that the SEC has used these so-called “books and records” provisions to penalize a company, despite the apparent absence of any impact on financial reporting. For example, in February 2023, Activision Blizzard agreed to a cease-and-desist order and a $35 million civil penalty for failing to maintain disclosure controls and procedures relating to employment practices, even though the SEC found no disclosure violations. Commissioner Peirce also issued what can fairly be described as a scathing dissent in the Activision Blizzard case.)
We agree with the dissenting Commissioners. The SEC’s actions represent a troubling expansion of jurisdiction without a clear nexus to any accounting or disclosure control mechanisms. As expressed by the dissenting Commissioners, the expansion of the SEC’s jurisdiction as seen in these matters will allow the SEC to essentially regulate public companies’ practices in cybersecurity – or virtually any other area of their operations, even in the absence of any deficiency in the companies’ accounting or disclosure control procedures. This expansion of jurisdiction could conceivably allow the SEC to exert jurisdiction and levy penalties in connection with any public company cybersecurity breach. This is a departure from the SEC’s true mission and does not offer substantial protection to an affected company’s stockholders. Any cybersecurity breach or incident is itself a significantly troubling event for a company, and the added burden of an SEC action and the related penalties will in many cases constitute excessive punishment at a very vulnerable time for the company without providing additional protection – or even any benefit – to stockholders.
Please direct any questions or observations to Gunster technology practice leader, Bob White, or its securities law and corporate governance practice leader, Bob Lamm.
This publication is for general information only. It is not legal advice, and legal counsel should be contacted before any action is taken that might be influenced by this publication.
About Gunster
Gunster, Florida’s law firm for business, provides full-service legal counsel to leading organizations and individuals from its 12 offices statewide. Established in 1925, the firm has expanded, diversified and evolved, but always with a singular focus: Florida and its clients’ stake in it. A magnet for business-savvy attorneys who embrace collaboration for the greatest advantage of clients, Gunster’s growth has not been at the expense of personalized service but because of it. The firm serves clients from its offices in Boca Raton, Fort Lauderdale, Jacksonville, Miami, Naples, Orlando, Palm Beach, Stuart, Tallahassee, Tampa, Vero Beach, and its headquarters in West Palm Beach. With more than 290 attorneys and consultants, and over 290 committed support staff, Gunster is ranked among the National Law Journal’s list of the 500 largest law firms and has been recognized as one of the Top 100 Diverse Law Firms by Law360. More information about its practice areas, offices and insider’s view newsletters is available at www.gunster.com.